lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 25 Jun 2018 20:37:09 +0200
From:   Borislav Petkov <bp@...en8.de>
To:     "Maciej S. Szmigiero" <mail@...iej.szmigiero.name>
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] x86/microcode/AMD: Check patch size for all known
 CPU families

On Sat, Jun 23, 2018 at 12:33:24AM +0200, Maciej S. Szmigiero wrote:
> Previously, the AMD microcode update driver has only checked the indicated
> microcode patch size for patches for the currently running CPU family.
> Patches for other families had their size trusted without further
> verification.
> 
> Introduce such check for all CPU families known to the driver so if we spot
> a patch that is longer than expected for its family we'll carefully skip
> over only the expected length to make sure we don't miss good patches in
> case the indicated patch size was something nonsensically huge.
> 
> Signed-off-by: Maciej S. Szmigiero <mail@...iej.szmigiero.name>
> ---
> This is part 2/2 of a replacement for
> "[PATCH v7 3/9] x86/microcode/AMD: Integrate verify_patch_size() into verify_patch()".
> 
>  arch/x86/kernel/cpu/microcode/amd.c | 67 ++++++++++++++++-------------
>  1 file changed, 37 insertions(+), 30 deletions(-)
> 
> diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
> index 53820b92aabb..04a298da4c21 100644
> --- a/arch/x86/kernel/cpu/microcode/amd.c
> +++ b/arch/x86/kernel/cpu/microcode/amd.c
> @@ -201,43 +201,31 @@ static bool verify_patch(u8 family, const u8 *buf, size_t buf_size,
>  	hdr = (const u32 *)buf;
>  	patch_size = hdr[1];
>  
> -	if (buf_size - SECTION_HDR_SIZE < patch_size) {
> +	if (buf_size - SECTION_HDR_SIZE < sizeof(*mc_hdr)) {

This function adds and removes SECTION_HDR_SIZE a bunch of times so that
my head spins trying to remind myself which is which. Please define
properly named local variables.

>  		if (!early)
> -			pr_err("Patch of size %u truncated.\n", patch_size);
> +			pr_err("Truncated patch header.\n");
>  
>  		*crnt_size = buf_size;
>  		return false;
>  	}
>  
> -	/*
> -	 * Set a patch length limit of slightly less than U32_MAX to
> -	 * prevent overflowing 32-bit variables holding the whole
> -	 * patch section size.
> -	 */
> -	if (patch_size > U32_MAX - SECTION_HDR_SIZE) {
> -		if (!early)
> -			pr_err("Patch of size %u too large.\n", patch_size);
> -
> -		*crnt_size = SECTION_HDR_SIZE + PATCH_MAX_SIZE;
> -		return false;
> -	}
> -
> -	*crnt_size = SECTION_HDR_SIZE + patch_size;
> -
>  	mc_hdr = (const struct microcode_header_amd *)(buf + SECTION_HDR_SIZE);
>  	patch_fam = 0xf + (mc_hdr->processor_rev_id >> 12);
>  
> -	/* Is the patch for the proper CPU family? */
> -	if (family != patch_fam)
> -		return false;
> -
> +	/*
> +	 * Check whether patch_size isn't something nonsensically huge so
> +	 * we don't skip over good patches by mistake.
> +	 */
>  #define F1XH_MPB_MAX_SIZE 2048
>  #define F14H_MPB_MAX_SIZE 1824
>  #define F15H_MPB_MAX_SIZE 4096
>  #define F16H_MPB_MAX_SIZE 3458
>  #define F17H_MPB_MAX_SIZE 3200
>  
> -	switch (family) {
> +	switch (patch_fam) {
> +	case 0x10 ... 0x13:
> +		max_size = F1XH_MPB_MAX_SIZE;

I guess this variable should be called fam_size now.

> +		break;
>  	case 0x14:
>  		max_size = F14H_MPB_MAX_SIZE;
>  		break;
> @@ -251,22 +239,41 @@ static bool verify_patch(u8 family, const u8 *buf, size_t buf_size,
>  		max_size = F17H_MPB_MAX_SIZE;
>  		break;
>  	default:
> -		max_size = F1XH_MPB_MAX_SIZE;
> +		/*
> +		 * Don't know the max size for future families...
> +		 * Set a patch length limit of slightly less than U32_MAX to
> +		 * prevent overflowing 32-bit variables holding the whole
> +		 * patch section size.
> +		 */
> +		max_size = U32_MAX - SECTION_HDR_SIZE;

No, just do a WARN_ON_ONCE here.

>  		break;
>  	}
>  
> -	/*
> -	 * The section header length is not included in this indicated size
> -	 * but is present in the leftover file length so we need to subtract
> -	 * it from the leftover file length.
> -	 */
> -	if (patch_size > min_t(u32, buf_size - SECTION_HDR_SIZE, max_size)) {
> +	if (patch_size > max_size) {
> +		if (!early)
> +			pr_err("Patch of size %u exceeds family %u maximum.\n",
> +			       patch_size, (unsigned int)patch_fam);
> +
> +		*crnt_size = min_t(unsigned int,
> +				   SECTION_HDR_SIZE + max_size,
> +				   buf_size);
> +		return false;
> +	}
> +
> +	if (buf_size - SECTION_HDR_SIZE < patch_size) {
>  		if (!early)
> -			pr_err("Patch of size %u too large.\n", patch_size);
> +			pr_err("Patch of size %u truncated.\n", patch_size);
>  
> +		*crnt_size = buf_size;
>  		return false;
>  	}
>  
> +	*crnt_size = SECTION_HDR_SIZE + patch_size;
> +
> +	/* Is the patch for the proper CPU family? */
> +	if (family != patch_fam)
> +		return false;

Why are you moving the family check down?

What it should do instead is the moment it knows the family, check
whether they're equal. If not, skip over with minimum of the size of the
corresponding patch_fam and buf_size.

And then you do all the remaining checks.

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ